1) Who We Are and Scope
This Privacy Policy describes how Soco Supply, LLC (“Soco Supply,” “we,” “us,” or “our”) collects, uses, and shares personal information when you use the Phenohunt mobile application and related websites (including app.phenohunt.com) (collectively, the “Services”).
Data Controller:
Soco Supply, LLC
1535 Farmers Ln 243, Santa Rosa, CA 95405, USA
Contact (General): support@phenohunt.com
Data Protection Contact: privacy@phenohunt.com
By using the Services, you agree to this Policy. If you do not agree, please do not use the Services.
Age Requirement. You must be 21 years of age or the legal age in your jurisdiction (whichever is higher) to use the Services.
Lawful Use Notice. The Services are intended for lawful record-keeping and educational purposes. You are solely responsible for ensuring your use complies with laws in your jurisdiction, including any that regulate certain plant species or cultivation activities.
2) Information We Collect
2.1 Information You Provide
- Account Data: email address, password, display name.
- Profile Data (optional): profile photo or avatar.
- User Content: information you create or upload in the app, including records you create (e.g., entries about strains, conditions, ratings, profiles, journals), photos (e.g., plants, seed packs, labels), notes, tags, and other content you add.
App Permissions. With your permission, the app may access your device camera, photo library, and local storage to let you capture and upload images and save QR codes/plant tags.
2.2 Information Collected Automatically
- Usage Data: features used, clicks/taps, session timestamps, and in-app navigation.
- Device & App Info: device type/model, operating system, app version, time zone, language settings.
- Log Data: IP address, error and crash logs, and event diagnostics.
2.3 Information from Third Parties
- Google Sign-In (optional): if you sign in with Google, we receive your name, email, and profile picture as permitted by Google’s OAuth flow.
3) How We Use Information
3.1 Provide and Operate the Services (Contract)
- Create and manage accounts
- Sync your data across devices
- Generate QR codes and plant tags
- Enable real-time updates and collaboration features
- Maintain functionality, security, and availability
3.2 Communicate with You
- Transactional messages: account verification, password resets, security alerts, and important service updates
- Marketing messages (optional/consent): email and, if you opt in, SMS/push notifications about features, tips, updates, and offers. You can withdraw consent at any time in Account → Communication Preferences or by using unsubscribe/STOP instructions.
3.3 Improve and Secure the Services (Legitimate Interests)
- Diagnose issues, monitor performance, debug, and analyze usage to improve features and stability
- Prevent fraud, abuse, or security incidents
3.4 Legal and Compliance
- Comply with applicable laws, enforce terms, and respond to lawful requests
4) Legal Bases for Processing (EEA/UK Users)
Where GDPR/UK GDPR applies, our processing is based on:
- Contract necessity (Art. 6(1)(b)) — to provide the Services you request
- Consent (Art. 6(1)(a)) — for optional marketing and certain optional features
- Legitimate interests (Art. 6(1)(f)) — to improve, secure, and analyze the Services in ways that do not override your rights
- Legal obligation (Art. 6(1)(c)) — to meet applicable legal requirements
5) Marketing Communications
- We only send marketing emails/SMS with your explicit opt-in.
- You may unsubscribe at any time via in-message links (emails) or by replying STOP to SMS, or via Account → Communication Preferences in-app.
- We keep a record of your consent and preferences.
6) Data Sharing and Disclosure
We do not sell your personal information. We share it only as described below:
6.1 Service Providers (Processors)
We use carefully selected vendors for hosting, storage, authentication, email/SMS delivery, analytics, logging, and customer support. They may access personal data solely to perform services on our behalf and are bound by confidentiality and data protection terms (DPAs). Current core provider: Supabase (database, authentication, real-time sync, and storage). We may add providers in the future and will update this Policy or our in-app provider list accordingly.
6.2 Legal Requirements and Safety
We may disclose information to comply with laws or lawful requests, to protect our rights, users, or the public, or to investigate fraud or security issues. Where legally permitted and feasible, we will notify you before disclosing your data.
6.3 Business Transfers
If we undergo a merger, acquisition, financing, or sale of assets, your information may be transferred to the successor entity subject to this Policy.
6.4 Aggregated/De-identified Data
We may share aggregated or de-identified data that does not identify you.
7) Where We Store and Process Data
We host our backend with Supabase in a project region we select. Supabase offers multiple regions. Our project is created in one of these regions, and our primary database is hosted there.
For file uploads (e.g., photos), Supabase Storage may serve assets using a global CDN to deliver content quickly worldwide; cached copies may be briefly stored at edge locations outside your primary region.
For observability and security, we may use platform logging that can include request metadata (e.g., IP address, user agent), with retention based on plan and configuration. Authentication audit logs may record events (e.g., sign-ins, resets) for security and compliance.
We maintain DPAs with our processors.
8) International Data Transfers
If you are outside the United States, your information may be transferred to or accessed from the U.S. and other countries where our providers operate or cache content (e.g., CDN edge locations). Where required by law, we use appropriate safeguards such as Standard Contractual Clauses (SCCs) and vendor DPAs, and we limit transfers to what is necessary to provide the Services.
9) Security
We use technical and organizational measures aligned with industry standards, including encryption in transit (TLS) and encryption of sensitive data at rest; role-based access controls, least privilege, and audit logging where available; secure hashing of passwords; and regular updates and vulnerability management. No method of transmission or storage is 100% secure. If we learn of a breach impacting your information, we will notify you by email consistent with applicable law and this Policy.
10) Data Retention
- Account Data: kept while your account is active.
- User Content: kept until you delete it or delete your account.
- Deleted Data: removed from active systems within 30 days; backup copies may persist for up to 90 days (then overwritten in the ordinary course of business).
- Marketing Preferences: updated immediately upon request.
11) Your Rights and Choices
11.1 In-App Controls
You can access, export, correct, or delete your data from Account → Settings. An in-app Delete Account feature is provided; deleting your account triggers deletion of associated personal data from active systems per Section 10.
11.2 Opt-Out of Marketing
Use unsubscribe links in emails, reply STOP to SMS, or adjust preferences in-app.
11.3 EU/EEA/UK Rights
Where GDPR/UK GDPR applies, you have the right to access, rectify, erase, restrict, object, and port your data, and to withdraw consent at any time (without affecting prior lawful processing). You may also lodge a complaint with your local supervisory authority.
11.4 U.S. State Rights (CA, CO, CT, UT, VA, etc.)
Depending on your state, you may have rights to know/access, correct, delete, obtain a portable copy, and to opt out of “sales” or “sharing” for cross-context behavioral advertising.
- We do not “sell” or “share” personal information as those terms are defined under the California Privacy Rights Act (CPRA). If this changes, we will update this Policy and provide a “Do Not Sell or Share” mechanism.
- You may use an authorized agent (CA) to submit a request, subject to verification.
Submitting Requests. Use the in-app controls or email privacy@phenohunt.com. We will verify your identity (e.g., email verification) before fulfilling your request. Appeals: If we deny a request (e.g., VA), you may appeal by replying to our decision notice or emailing privacy@phenohunt.com.
11.5 Do Not Track / Global Privacy Control
Our app does not respond to browser Do Not Track signals. If we implement cross-context behavioral advertising on the web in the future, we will evaluate and honor applicable Global Privacy Control (GPC) signals consistent with law.
12) Children’s Privacy
The Services are not for children. We do not knowingly collect personal information from individuals under the applicable age threshold in your jurisdiction and, in any case, not from users under 21 for the app. If you believe a minor provided data, contact privacy@phenohunt.com.
13) Additional Disclosures About Your Content
- EXIF/GPS in Images: Uploaded photos may contain embedded metadata (e.g., EXIF, GPS coordinates). Consider removing sensitive metadata before uploading.
- Sensitive Categories: Do not upload content you are not legally permitted to possess, store, or share. We do not review content for legal compliance.
14) Third-Party Sign-In and Links
If you use Google Sign-In, data we receive is governed by this Policy; Google’s processing is governed by Google’s privacy policy. Third-party sites or services linked from the app are governed by their own policies.
15) State-Specific Notice for California Residents (Notice at Collection)
Categories collected: Identifiers (email, device IDs), commercial information (in-app purchases if any), internet/network activity (usage, logs), geolocation (coarse location via IP only), and user-generated content (photos, notes).
Purposes: to provide services, secure and debug, analytics, account management, messaging (transactional/marketing with consent), and compliance.
Retention: as described in Section 10.
Selling/Sharing: We do not sell or share personal information for cross-context behavioral advertising.
Non-discrimination: We will not discriminate against you for exercising your privacy rights.
Financial Incentives: None at this time.
16) Changes to this Policy
We may update this Policy to reflect changes to our practices or applicable law. If changes are material, we will notify you by email and/or by an in-app notice. The “Last Updated” date shows the latest revision.
17) Contact
Soco Supply, LLC (Phenohunt)
1535 Farmers Ln 243, Santa Rosa, CA 95405, USA
General: support@phenohunt.com
Privacy: privacy@phenohunt.com
Policy URL: https://app.phenohunt.com/privacy
18) Region/Hosting and Vendor Transparency (Summary)
- Hosting & Regions (Supabase): Our project runs in a selected region; our primary database is hosted there.
- Storage/CDN: Files you upload may be served through a global CDN which can cache content at edge locations worldwide for performance.
- Logs & Audit: Platform logs may include request metadata (e.g., IP, user agent) with retention tied to plan; auth audit logs record authentication events for security and compliance.
- DPA: We maintain Data Processing Agreements with our processors.